

feat use builtin for getting secret

lyunptusYaroslav Bolyukin2026-01-22parent: #c810e3a.patch.diff
in: trunk

12 files changed

modifiedCargo.lockdiffbeforeafterboth
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -723,15 +723,6 @@
 checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
 
 [[package]]
-name = "convert_case"
-version = "0.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bb402b8d4c85569410425650ce3eddc7d698ed96d39a73f941b08fb63082f1e7"
-dependencies = [
- "unicode-segmentation",
-]
-
-[[package]]
 name = "cookie-factory"
 version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -765,34 +756,6 @@
 ]
 
 [[package]]
-name = "crossterm"
-version = "0.29.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d8b9f2e4c67f833b660cdb0a3523065869fb35570177239812ed4c905aeff87b"
-dependencies = [
- "bitflags",
- "crossterm_winapi",
- "derive_more",
- "document-features",
- "filedescriptor",
- "mio",
- "parking_lot",
- "rustix 1.1.2",
- "signal-hook",
- "signal-hook-mio",
- "winapi",
-]
-
-[[package]]
-name = "crossterm_winapi"
-version = "0.9.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "acdd7c62a3665c7f6830a51635d9ac9b23ed385797f70a83bb8bafe9c572ab2b"
-dependencies = [
- "winapi",
-]
-
-[[package]]
 name = "crypto-common"
 version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -932,27 +895,6 @@
 dependencies = [
  "powerfmt",
  "serde_core",
-]
-
-[[package]]
-name = "derive_more"
-version = "2.0.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "093242cf7570c207c83073cf82f79706fe7b8317e98620a47d5be7c3d8497678"
-dependencies = [
- "derive_more-impl",
-]
-
-[[package]]
-name = "derive_more-impl"
-version = "2.0.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bda628edc44c4bb645fbe0f758797143e4e07926f7ebf4e9bdfbd3d2ce621df3"
-dependencies = [
- "convert_case",
- "proc-macro2",
- "quote",
- "syn",
 ]
 
 [[package]]
@@ -976,15 +918,6 @@
  "proc-macro2",
  "quote",
  "syn",
-]
-
-[[package]]
-name = "document-features"
-version = "0.2.11"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "95249b50c6c185bee49034bcb378a49dc2b5dff0be90ff6616d31d64febab05d"
-dependencies = [
- "litrs",
 ]
 
 [[package]]
@@ -1073,17 +1006,6 @@
 checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"
 
 [[package]]
-name = "filedescriptor"
-version = "0.8.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e40758ed24c9b2eeb76c35fb0aebc66c626084edd827e07e1552279814c6682d"
-dependencies = [
- "libc",
- "thiserror 1.0.69",
- "winapi",
-]
-
-[[package]]
 name = "find-crate"
 version = "0.6.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -1128,7 +1050,6 @@
  "chrono",
  "clap",
  "clap_complete",
- "crossterm",
  "fleet-base",
  "fleet-shared",
  "futures",
@@ -1142,7 +1063,6 @@
  "openssh",
  "opentelemetry",
  "opentelemetry_sdk",
- "owo-colors",
  "peg",
  "regex",
  "serde",
@@ -1503,12 +1423,6 @@
 checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
 
 [[package]]
-name = "hermit-abi"
-version = "0.5.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fc0fef456e4baa96da950455cd02c081ca953b141298e41db3fc7e36b1da849c"
-
-[[package]]
 name = "hex"
 version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -1961,24 +1875,7 @@
 dependencies = [
  "memchr",
  "serde",
-]
-
-[[package]]
-name = "is-terminal"
-version = "0.4.16"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e04d7f318608d35d4b61ddd75cbdaee86b023ebe2bd5a66ee0915f0bf93095a9"
-dependencies = [
- "hermit-abi",
- "libc",
- "windows-sys 0.59.0",
 ]
-
-[[package]]
-name = "is_ci"
-version = "1.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7655c9839580ee829dfacba1d1278c2b7883e50a277ff7541299489d6bdfdc45"
 
 [[package]]
 name = "is_terminal_polyfill"
@@ -2083,12 +1980,6 @@
 version = "0.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "241eaef5fd12c88705a01fc1066c48c4b36e0dd4377dcdc7ec3942cea7a69956"
-
-[[package]]
-name = "litrs"
-version = "0.4.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f5e54036fe321fd421e10d732f155734c4e4afd610dd556d9a82833ab3ee0bed"
 
 [[package]]
 name = "lock_api"
@@ -2161,7 +2052,6 @@
 checksum = "78bed444cc8a2160f01cbcf811ef18cac863ad68ae8ca62092e8db51d51c761c"
 dependencies = [
  "libc",
- "log",
  "wasi 0.11.1+wasi-snapshot-preview1",
  "windows-sys 0.59.0",
 ]
@@ -2428,16 +2318,6 @@
 ]
 
 [[package]]
-name = "owo-colors"
-version = "4.2.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9c6901729fa79e91a0913333229e9ca5dc725089d1c363b2f4b4760709dc4a52"
-dependencies = [
- "supports-color 2.1.0",
- "supports-color 3.0.2",
-]
-
-[[package]]
 name = "papergrid"
 version = "0.17.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -3335,27 +3215,6 @@
 version = "1.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
-
-[[package]]
-name = "signal-hook"
-version = "0.3.18"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d881a16cf4426aa584979d30bd82cb33429027e42122b169753d6ef1085ed6e2"
-dependencies = [
- "libc",
- "signal-hook-registry",
-]
-
-[[package]]
-name = "signal-hook-mio"
-version = "0.2.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "34db1a06d485c9142248b7a054f034b349b212551f3dfd19c94d45a754a217cd"
-dependencies = [
- "libc",
- "mio",
- "signal-hook",
-]
 
 [[package]]
 name = "signal-hook-registry"
@@ -3449,25 +3308,6 @@
 checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
 
 [[package]]
-name = "supports-color"
-version = "2.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d6398cde53adc3c4557306a96ce67b302968513830a77a95b2b17305d9719a89"
-dependencies = [
- "is-terminal",
- "is_ci",
-]
-
-[[package]]
-name = "supports-color"
-version = "3.0.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c64fc7232dd8d2e4ac5ce4ef302b1d81e0b80d055b9d77c7c4f51f6aa4c867d6"
-dependencies = [
- "is_ci",
-]
-
-[[package]]
 name = "syn"
 version = "2.0.106"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -4170,12 +4010,6 @@
 checksum = "f63a545481291138910575129486daeaf8ac54aee4387fe7906919f7830c7d9d"
 
 [[package]]
-name = "unicode-segmentation"
-version = "1.12.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f6ccf251212114b54433ec949fd6a7841275f9ada20dddd2f29e9ceea4501493"
-
-[[package]]
 name = "unicode-width"
 version = "0.1.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -4448,25 +4282,9 @@
  "home",
  "once_cell",
  "rustix 0.38.44",
-]
-
-[[package]]
-name = "winapi"
-version = "0.3.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
-dependencies = [
- "winapi-i686-pc-windows-gnu",
- "winapi-x86_64-pc-windows-gnu",
 ]
 
 [[package]]
-name = "winapi-i686-pc-windows-gnu"
-version = "0.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
-
-[[package]]
 name = "winapi-util"
 version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -4474,12 +4292,6 @@
 dependencies = [
  "windows-sys 0.61.2",
 ]
-
-[[package]]
-name = "winapi-x86_64-pc-windows-gnu"
-version = "0.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
 
 [[package]]
 name = "windows-core"
modifiedREADME.adocdiffbeforeafterboth
--- a/README.adoc
+++ b/README.adoc
@@ -211,7 +211,7 @@
   ];
   # And finally, I have secrets, which are shared between machines.
   # Note that this example is somewhat wrong, as this goes not into the machine configuration, but to fleet configuration.
-  sharedSecrets = {
+  secrets = {
     "ca.pem" = {
       # This is just the public key, no need to regenerate it to change owner list
       regenerateOnOwnerAdded = false;
modifiedcmds/fleet/Cargo.tomldiffbeforeafterboth
--- a/cmds/fleet/Cargo.toml
+++ b/cmds/fleet/Cargo.toml
@@ -28,12 +28,10 @@
 async-trait = "0.1"
 base64 = "0.22.1"
 chrono = { version = "0.4", features = ["serde"] }
-crossterm = { version = "0.29.0", features = ["use-dev-tty"] }
 futures = "0.3"
 hostname = "0.4.1"
 itertools = "0.14"
 openssh = "0.11"
-owo-colors = { version = "4.2", features = ["supports-color", "supports-colors"] }
 peg = "0.8"
 regex = "1.11"
 shlex = "1.3"
modifiedcmds/fleet/src/cmds/secrets/mod.rsdiffbeforeafterboth
--- a/cmds/fleet/src/cmds/secrets/mod.rs
+++ b/cmds/fleet/src/cmds/secrets/mod.rs
@@ -11,11 +11,10 @@
 	fleetdata::{FleetSecretData, FleetSecretDistribution, FleetSecretPart, encrypt_secret_data},
 	host::Config,
 	opts::FleetOpts,
-	secret::{Expectations, RegenerationReason, SharedSecretDefinition, secret_needs_regeneration},
+	secret::{Expectations, RegenerationReason, secret_needs_regeneration},
 };
 use fleet_shared::SecretData;
 use nix_eval::{NixType, Value, nix_go, nix_go_json};
-use owo_colors::OwoColorize;
 use serde::Deserialize;
 use tabled::{Table, Tabled};
 use tokio::{fs::read, task::spawn_blocking};
@@ -69,6 +68,7 @@
 	},
 }
 
+/*
 #[allow(clippy::too_many_arguments)]
 #[tracing::instrument(skip(config, secret, definition, prefer_identities))]
 async fn maybe_regenerate_shared_secret(
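Review bot: Wrapping `maybe_regenerate_shared_secret` in `/* … */` appears to remove the only path in this file that checks a shared secret against its expectations before reusing it, and nothing in the diff registers a shared-secret counterpart to `fleet_ensure_host_secret` (the primop in primops.rs is host-only and still `todo!`). Until that replacement lands, a shared secret whose owner list or expiry no longer matches its definition will be reused silently instead of rotated, which is exactly the situation the deleted `secrets-data.nix` described as requiring regeneration or re-encryption. A loud placeholder is safer than commented-out code: keep the function under `#[allow(dead_code)]` with `// TODO: port to a builtins.fleet_ensure_shared_secret primop`, or have the former call sites return an explicit error such as "shared secret regeneration is not available in this build". The function body continues past this hunk.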
@@ -143,6 +143,7 @@
 		Ok(secret)
 	}
 }
+*/
 
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
@@ -314,6 +315,7 @@
 		}
 	}
 }
+/*
 async fn generate_shared(
 	config: &Config,
 	display_name: &str,
@@ -332,7 +334,7 @@
 		.await?,
 		owners: expectations.owners.clone(),
 	})
-}
+}*/
 
 async fn parse_public(
 	public: Option<String>,
@@ -625,10 +627,11 @@
 					#[tabled(rename = "Owners")]
 					owners: String,
 				}
-				let mut table = vec![];
+				// let mut table = vec![];
 				for name in configured.iter().cloned() {
 					let config = config.clone();
 					let data = config.shared_secret(&name).expect("exists");
+					/*
 					let definition = config.shared_secret_definition(&name)?;
 					let expectations = definition.expectations()?;
 					let owners = data
@@ -645,8 +648,9 @@
 						owners: owners.join(", "),
 						name,
 					})
+*/
 				}
-				info!("loaded\n{}", Table::new(table).to_string())
+				// info!("loaded\n{}", Table::new(table).to_string())
 			}
 			Secret::Edit {
 				name,
modifiedcrates/fleet-base/src/host.rsdiffbeforeafterboth
--- a/crates/fleet-base/src/host.rs
+++ b/crates/fleet-base/src/host.rs
@@ -23,7 +23,6 @@
 use crate::{
 	command::MyCommand,
 	fleetdata::{FleetData, FleetSecretData, FleetSecretDistribution, FleetSecretDistributions},
-	secret::{HostSecretDefinition, SharedSecretDefinition},
 };
 
 pub struct FleetConfigInternals {
@@ -31,7 +30,7 @@
 	pub directory: PathBuf,
 	/// builtins.currentSystem
 	pub local_system: String,
-	pub data: Mutex<FleetData>,
+	pub data: Arc<Mutex<FleetData>>,
 	pub nix_args: Vec<OsString>,
 	/// fleet_config.config
 	pub config_field: Value,
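Review bot: Changing `data` to `Arc<Mutex<FleetData>>` lines up with the new `init_primops(secrets: Arc<Mutex<FleetData>>)` signature, which means Nix evaluation will be able to re-enter the fleet state from inside a builtin; if this is `std::sync::Mutex` (the one primops.rs imports) it is not re-entrant, so any caller that still holds the guard from `self.data()` while forcing a `Value` that reaches `fleet_ensure_host_secret` will deadlock rather than fail. The lock discipline should be stated on the field, e.g. `/// Shared with the Nix primops; never hold the guard across a nix_go!/Value evaluation`, and accessors such as `shared_secret` below should keep cloning out of the guard before anything is evaluated. `FleetConfigInternals` continues past this hunk.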
@@ -520,13 +519,6 @@
 		let nixos = self.nixos_unchecked_config()?;
 		let secrets = nix_go!(nixos.secrets);
 		secrets.list_fields()
-	}
-	pub fn secret_definition(&self, name: &str) -> Result<HostSecretDefinition> {
-		let nixos = self.nixos_unchecked_config()?;
-		Ok(HostSecretDefinition(
-			self.name.clone(),
-			nix_go!(nixos.secrets[{ name }]),
-		))
 	}
 
 	/// Packages for this host, resolved with nixpkgs overlays
@@ -665,12 +657,6 @@
 	pub fn shared_secret(&self, secret: &str) -> Option<FleetSecretDistributions> {
 		let data = self.data();
 		data.secrets.get(secret).cloned()
-	}
-	pub fn shared_secret_definition(&self, secret: &str) -> Result<SharedSecretDefinition> {
-		let config_field = &self.config_field;
-		Ok(SharedSecretDefinition(nix_go!(
-			config_field.sharedSecrets[{ secret }]
-		)))
 	}
 
 	// TODO: Should this be something modifiable from other processes?
modifiedcrates/fleet-base/src/opts.rsdiffbeforeafterboth
--- a/crates/fleet-base/src/opts.rs
+++ b/crates/fleet-base/src/opts.rs
@@ -211,7 +211,7 @@
 		}
 		let bytes =
 			std::fs::read_to_string(&fleet_data_path).context("reading fleet state (fleet.nix)")?;
-		let data = Mutex::new(FleetData::from_str(&bytes)?);
+		let data = Arc::new(Mutex::new(FleetData::from_str(&bytes)?));
 
 		let mut fetch_settings = FetchSettings::new();
 		fetch_settings.set(c"warn-dirty", c"false");
@@ -239,8 +239,7 @@
 		let builtins_field = Value::eval("builtins")?;
 
 		let fleet_root = flake.get_field("fleetConfigurations")?;
-		let data_val = Value::serialized(&data)?;
-		let fleet_field = nix_go!(fleet_root.default(data_val));
+		let fleet_field = nix_go!(fleet_root.default(Obj {}));
 
 		let config_field = nix_go!(fleet_field.config);
 
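--- a/crates/fleet-base/src/primops.rs
+++ b/crates/fleet-base/src/primops.rs
@@ -1,4 +1,9 @@
-use nix_eval::NativeFn;
+use std::collections::HashMap;
+use std::sync::{Arc, Mutex};
+
+use nix_eval::{NativeFn, Value};
+
+use crate::fleetdata::{FleetData, FleetSecrets};
 
 #[derive(thiserror::Error, Debug)]
 enum Error {}
@@ -15,31 +20,33 @@
 	fn host_parts(&self, host: &str, name: &str) -> Parts;
 }
 
-struct FsSecretsBackend {
-
-}
+struct FsSecretsBackend {}
 
-pub fn init_primops() {
+pub fn init_primops(secrets: Arc<Mutex<FleetData>>) {
 	NativeFn::new(
-		c"fleet_ensure_secret",
+		c"fleet_ensure_host_secret",
 		c"Ensure secret existence for a host, regenerating it in case of some mismatch",
-		[
-			c"host",
-			c"secret",
-			c"expected_parts",
-			c"expected_encrypted_parts",
-			c"generator",
-		],
-		|[
-			host,
-			secret,
-			expected_parts,
-			expected_encrypted_parts,
-			generator,
-		]| { 
-
-			todo!()
+		[c"host", c"secret", c"generator"],
+		|[host, secret, generator]| {
+			todo!("ensure secret");
+			Ok(Value::new_attrs(HashMap::from_iter([(
+				"raw",
+				Value::new_str("rawData"),
+			)])))
+		},
+	)
+	.register();
+	NativeFn::new(
+		c"fleet_ensure_host_secret",
+		c"Ensure secret existence for a host, regenerating it in case of some mismatch",
+		[c"host", c"secret", c"generator"],
+		|[host, secret, generator]| {
+			todo!("ensure secret");
+			Ok(Value::new_attrs(HashMap::from_iter([(
+				"raw",
+				Value::new_str("rawData"),
+			)])))
 		},
 	)
 	.register();
 }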
modifiedcrates/fleet-base/src/secret.rsdiffbeforeafterboth
--- a/crates/fleet-base/src/secret.rs
+++ b/crates/fleet-base/src/secret.rs
@@ -1,8 +1,6 @@
 use std::collections::BTreeSet;
 
-use anyhow::Result;
 use chrono::{DateTime, Utc};
-use nix_eval::{Value, nix_go, nix_go_json};
 
 use crate::fleetdata::FleetSecretData;
 
@@ -12,63 +10,6 @@
 	pub generation_data: serde_json::Value,
 	pub public_parts: BTreeSet<String>,
 	pub private_parts: BTreeSet<String>,
-}
-
-pub struct HostSecretDefinition(pub(crate) String, pub(crate) Value);
-impl HostSecretDefinition {
-	pub fn is_managed(&self) -> Result<bool> {
-		let def = self.definition_value()?;
-		Ok(!nix_go!(def.generator).is_null())
-	}
-	pub fn is_shared(&self) -> Result<bool> {
-		let def = self.definition_value()?;
-		Ok(nix_go_json!(def.shared))
-	}
-	pub fn expectations(&self) -> Result<Expectations> {
-		let def = self.definition_value()?;
-		let parts = nix_go!(def.parts);
-
-		let mut public_parts = BTreeSet::new();
-		let mut private_parts = BTreeSet::new();
-		for part in parts.list_fields()? {
-			if nix_go_json!(parts[&part].encrypted) {
-				private_parts.insert(part.clone());
-			} else {
-				public_parts.insert(part.clone());
-			}
-		}
-
-		Ok(Expectations {
-			owners: BTreeSet::from([self.0.clone()]),
-			generation_data: nix_go_json!(def.expectedGenerationData),
-			public_parts,
-			private_parts,
-		})
-	}
-	pub fn definition_value(&self) -> Result<Value> {
-		let value = &self.1;
-		Ok(nix_go!(value.definition))
-	}
-}
-
-pub struct SharedSecretDefinition(pub(crate) Value);
-impl SharedSecretDefinition {
-	pub fn is_managed(&self) -> Result<bool> {
-		let value = &self.0;
-		Ok(!nix_go!(value.generator).is_null())
-	}
-	pub fn expectations(&self) -> Result<Expectations> {
-		let value = &self.0;
-		Ok(Expectations {
-			owners: nix_go_json!(value.expectedOwners),
-			generation_data: nix_go_json!(value.expectedGenerationData),
-			public_parts: nix_go_json!(value.expectedPublicParts),
-			private_parts: nix_go_json!(value.expectedPrivateParts),
-		})
-	}
-	pub fn definition_value(&self) -> Value {
-		self.0.clone()
-	}
 }
 
 #[derive(thiserror::Error, Debug)]
modifiedmodules/module-list.nixdiffbeforeafterboth
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -6,5 +6,4 @@
   ./nixos.nix
   ./nixpkgs.nix
   ./secrets.nix
-  ./secrets-data.nix
 ]
modifiedmodules/nixos/secrets.nixdiffbeforeafterboth
--- a/modules/nixos/secrets.nix
+++ b/modules/nixos/secrets.nix
@@ -8,50 +8,26 @@
 let
   inherit (builtins)
     hashString
-    elemAt
-    length
     toJSON
-    filter
     ;
   inherit (lib.stringsWithDeps) stringAfter;
   inherit (lib.options) mkOption literalExpression;
   inherit (lib.lists) optional;
-  inherit (lib.attrsets) mapAttrs mapAttrsToList;
-  inherit (lib.modules) mkIf mkMerge;
+  inherit (lib.attrsets) mapAttrs;
+  inherit (lib.modules) mkIf;
   inherit (lib.types)
     submodule
     str
     attrsOf
     nullOr
     unspecified
-    lazyAttrsOf
     uniq
     functionTo
     package
-    listOf
-    bool
     ;
   inherit (fleetLib.strings) decodeRawSecret;
 
   sysConfig = config;
-  secretPartDataType = submodule {
-    options = {
-      raw = mkOption {
-        type = str;
-        internal = true;
-        description = "Encoded & Encrypted secret part data, passed from fleet.nix";
-      };
-    };
-  };
-  secretDataType = submodule {
-    freeformType = lazyAttrsOf secretPartDataType;
-    options = {
-      shared = mkOption {
-        description = "Is this secret owned by this machine, or propagated from shared secrets";
-        default = false;
-      };
-    };
-  };
   secretPartType =
     secretName:
     submodule (
@@ -61,11 +37,6 @@
       in
       {
         options = {
-          encrypted = mkOption {
-            type = bool;
-            description = "Is this secret part supposed to be encrypted?";
-          };
-
           hash = mkOption {
             type = str;
             description = "Hash of secret in encoded format";
@@ -82,17 +53,17 @@
             type = str;
             description = "Secret public data (only available for plaintext)";
           };
+          raw = mkOption {
+            type = str;
+            description = "Raw (encoded/encrypted secret part data)";
+          };
+        };
+        config = {
+          hash = hashString "sha1" config.raw;
+          data = decodeRawSecret config.raw;
+          path = "/run/secrets/${secretName}/${config.hash}-${partName}";
+          stablePath = "/run/secrets/${secretName}/${partName}";
         };
-        config =
-          let
-            raw = sysConfig.data.secrets.${secretName}.${partName}.raw;
-          in
-          {
-            hash = hashString "sha1" raw;
-            data = decodeRawSecret raw;
-            path = "/run/secrets/${secretName}/${config.hash}-${partName}";
-            stablePath = "/run/secrets/${secretName}/${partName}";
-          };
       }
     );
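Review bot: Removing the per-part `encrypted` flag leaves nothing in this submodule that declares which parts must be stored as ciphertext; together with the `expected_encrypted_parts` argument dropped from the primop and the `expectedPrivateParts` option removed from modules/secrets.nix, a part that is accidentally committed in plaintext can no longer be flagged as a mismatch by the regeneration logic, unless the generator result carries that information (not visible here). Consider keeping a must-be-encrypted declaration on the part, or at least documenting in the `raw` option that the builtin is now the sole authority for that invariant, so it is stated somewhere a reviewer can see it. Separately, `hash = hashString "sha1" config.raw` is pre-existing but deserves a one-line comment such as `# sha1 only derives a change-sensitive path component; it is not an integrity check`. The `secretPartType` function and the `let` block extend beyond this hunk.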
   secretType = submodule (
@@ -105,14 +76,9 @@
     in
     {
       options = {
-        shared = mkOption {
-          type = bool;
-          description = "Was this secret propagated from a shared secret?";
-        };
         parts = mkOption {
-          type = lazyAttrsOf (secretPartType secretName);
+          type = attrsOf (secretPartType secretName);
           description = "Definition of secret parts";
-          default = { };
         };
         generator = mkOption {
           type = uniq (nullOr (functionTo package));
@@ -134,47 +100,14 @@
           description = "Group of the secret";
           default = sysConfig.users.users.${config.owner}.group;
           defaultText = literalExpression "config.users.users.$${owner}.group";
-        };
-        expectedGenerationData = mkOption {
-          type = unspecified;
-          description = "Data that gets embedded into secret part";
-          default = null;
         };
       };
       config = {
-        shared = (sysConfig.data.secrets.${secretName} or { shared = false; }).shared;
-        parts = mkMerge [
-          (mkIf (config.generator != null)
-            (
-              # Get fake derivation body, in future it should be implemented the same way as in Rust.
-              lib.callPackageWith (
-                pkgs
-                // {
-                  mkSecretGenerator = pkgs.stdenv.mkDerivation;
-                  mkImpureSecretGenerator = pkgs.stdenv.mkDerivation;
-                }
-              ) config.generator { }
-            ).parts
-          )
-          (mapAttrs (_: _: { }) (
-            removeAttrs (sysConfig.data.secrets.${secretName} or { }) [
-              "shared"
-              "managed"
-            ]
-          ))
-        ];
+        parts = builtins.fleet_ensure_host_secret sysConfig.networking.hostName secretName config.generator;
       };
     }
   );
-  processPart = secretName: partName: part: {
-    inherit (part) path stablePath;
-    raw = config.data.secrets.${secretName}.${partName}.raw;
-  };
-  processSecret = secretName: secret: {
-    inherit (secret.definition) group mode owner;
-    parts = (mapAttrs (processPart secretName) (secret.definition.parts));
-  };
-  secretsData = (mapAttrs (processSecret) config.secrets);
+  secretsData = (mapAttrs (_: s: s.definition) config.secrets);
   secretsFile = pkgs.writeTextFile {
     name = "secrets.json";
     text = toJSON secretsData;
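Review bot: `secretsData = mapAttrs (_: s: s.definition) config.secrets` serializes the whole `definition` submodule, whereas the removed `processSecret` projected only `group`/`mode`/`owner` plus each part's `path`/`stablePath`/`raw`; the new value also contains `generator` (a function when set, which `toJSON` cannot convert) and the decoded `data` of every part, all written into the world-readable store path that `pkgs.writeTextFile` produces. The explicit projection should be restored so `secrets.json` carries only what activation needs, as sketched below. Note also that `builtins.fleet_ensure_host_secret` is described as regenerating secrets on mismatch, so evaluating this module now has side effects that depend on which `parts` get forced; if that is intended it deserves a comment, and if not the builtin should be read-only from here. The `secretType` submodule and the `let` block extend beyond this hunk.
```nix
  secretsData = mapAttrs (_: s: {
    inherit (s.definition) group mode owner;
    parts = mapAttrs (_: p: { inherit (p) path stablePath raw; }) s.definition.parts;
  }) config.secrets;
```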
@@ -185,11 +118,6 @@
 in
 {
   options = {
-    data.secrets = mkOption {
-      type = attrsOf secretDataType;
-      default = { };
-      description = "Host-local secret data";
-    };
     secrets = mkOption {
       type = attrsOf secretType;
       default = { };
deletedmodules/secrets-data.nixdiffbeforeafterboth
--- a/modules/secrets-data.nix
+++ /dev/null
@@ -1,95 +0,0 @@
-{
-  lib,
-  fleetLib,
-  ...
-}:
-let
-  inherit (fleetLib.options) mkDataOption;
-  inherit (lib.options) mkOption;
-  inherit (lib.types)
-    nullOr
-    listOf
-    str
-    attrsOf
-    submodule
-    bool
-    unspecified
-    ;
-
-  secretDataValue = {
-    options = {
-      raw = mkOption {
-        type = nullOr str;
-        description = "Raw secret data in unspecified encoded and optionally encrypted format.";
-        default = null;
-      };
-    };
-  };
-
-  sharedSecretData = {
-    freeformType = attrsOf (submodule secretDataValue);
-    options = {
-      managed = mkOption {
-        type = nullOr bool;
-        description = "Is current fleet data value is generated by generator";
-        default = null;
-      };
-
-      createdAt = mkOption {
-        type = str;
-        description = "Timestamp of secret generation/last rotation.";
-        default = null;
-      };
-      expiresAt = mkOption {
-        type = nullOr str;
-        description = "Expiration timestamp triggering mandatory secret rotation.";
-        default = null;
-      };
-
-      owners = mkOption {
-        type = listOf str;
-        description = ''
-          List of hosts currently authorized to decrypt this shared secret.
-
-          If owners differ from expected owners, the secret is considered outdated
-          and requires regeneration or re-encryption.
-        '';
-        default = [ ];
-      };
-      generationData = mkOption {
-        type = unspecified;
-        description = "Contextual metadata associated with secret part.";
-        default = null;
-      };
-    };
-  };
-
-  managerKey = {
-    options = {
-      name = mkOption {
-        type = str;
-        description = "Who does this manager key belongs to.";
-      };
-      key = mkOption {
-        type = str;
-        description = "Age-compatible key";
-      };
-    };
-    config = { };
-  };
-in
-{
-  options.data = mkDataOption ({ config, ... }:
-    {
-      options = {
-        managerKeys = mkOption {
-          type = listOf (submodule managerKey);
-        };
-        secrets = mkOption {
-          type = attrsOf (listOf submodule sharedSecretData);
-          default = { };
-          description = "Shared secret data.";
-        };
-      };
-    });
-}
modifiedmodules/secrets.nixdiffbeforeafterboth
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -5,7 +5,6 @@
 let
   inherit (lib.options) mkOption literalExpression;
   inherit (lib.types)
-    unspecified
     nullOr
     listOf
     str
@@ -66,22 +65,7 @@
             An input to this function - `pkgs` of a generator host with implementation-defined representation of extra encryption data,
             use `mkSecretGenerator` helpers to implement own generators.
           '';
-          default = null;
-        };
-        expectedGenerationData = mkOption {
-          type = unspecified;
-          description = "Contextual metadata embedded within the secret part value";
           default = null;
-        };
-        expectedPrivateParts = mkOption {
-          type = listOf str;
-          default = [ ];
-          description = "List of parts that are expected to be encrypted";
-        };
-        expectedPublicParts = mkOption {
-          type = listOf str;
-          default = [ ];
-          description = "List of parts that are expected to be public";
         };
       };
     };